A custom firmware for Asus routers

Changelog (Current)

Asuswrt-Merlin 384 Changelog

General changes in the 384/NG branch vs 380.xx:
   - Clear your browser cache after flashing your first 384 build.
   - It's generally recommended to do a factory default reset
     when coming from 380 to 384/NG.
   - HDD spindown settings moved to the System settings page
   - SSL certificate management moved to the DDNS page for models
     that support Let's Encrypt
   - Nvram settings now have maximum lengths enforced, to protect
     against buffer overruns.  This means that some very long
     lists of settings might no longer be possible on 384.xx.

384.4 (16-Mar-2018)
   - NEW: Merged with GPL 384_20379 (with some binary components
          from 382_50010 and 384_20308 depending on models)
   - NEW: Added support for the RT-AC5300.
   - NEW: Added support for the RT-AC87U.
   - NEW: Added IPSEC support to the RT-AC86U.
   - NEW: Support the new Entware 64-bit repo on the RT-AC86U.
          To switch to the new repository, re-run the
          entware-setup.sh script.  You will need to reinstall
          your apps (your old config files are backed up on
          your USB disk).
   - CHANGED: Tightened security around some config files.
   - CHANGED: Allow guest networks settings for AP isolation
              and SSID broadcast to be set separately from
              their parent interface (John Bacho)
   - CHANGED: Samba protocol support can now be set to
              SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
              This will result in a performance drop on all
              models but the RT-AC86U, but will be more secure.
              Ideally, people should change it to SMBv2 only,
              and then reboot all their client devices to start
              using only the new protocol.
   - CHANGED: Re-added some of the logging sd-idle used to do
              in 380.xx.
   - CHANGED: Switched to the new Entware repo for armv7 models.
              To upgrade, run the following commands TWICE:

              opkg update; opkg upgrade

   - FIXED: Resetting an OpenVPN client to default settings
            might revert back after a reboot.
   - FIXED: log flood from lldpd about "unable to send packet
            on real device" (moved to debug level)
   - FIXED: Potential racing condition that could lead to two
            instances of miniupnpd running at boot time.
   - FIXED: Single-char hostnames were rejected by DHCP static
            leasees page. (theMIROn)
   - FIXED: AiCloud could sometime generate a new SSL certificate
            that would overwrite the one stored in jffs.  Now,
            AiCloud can also use the same one uploaded by the
            user for the main webui, or the Let's Encrypt one.
   - REMOVED: Telnet server.  Please use SSH for console-based
   - REMOVED: SNMP support on the RT-AC86U (incompatible)
   - REMOVED: Merlin NAT loopback mode (was increasingly
              problematic as the firmware firewall handling became
              more complex)

384.3 (14-Feb-2018)
   - NOTE: To reduce confusion following the version
           bump to 384, the current Github repository
           was renamed from asuswrt-merlin.382 to
           asuswrt-merlin.ng (for New Generation).
           It's recommended that you update your
           local repository if you're a developer,
           for example by running:

              git remote set-url origin \

   - NOTE: AiMesh is currently not supported.  Feasability of
           supporting it is still under evaluation.
   - NEW: Merged with GPL 384_10007
   - NEW: Added support for RT-AC3200 (merged
          SDK 7.x-main + binary blobs from 382_19466).
   - NEW: nano can now be configured through /jffs/configs/nanorc
   - CHANGED: Allow up to 5 OpenVPN clients on RT-AC3200.
   - CHANGED: Updated nano to 2.9.3.
   - FIXED: Some routers coming from 380.xx would incorrectly
            report a new firmware available at boot time.
   - FIXED: Some broken clients (like Samsung TVs) try to use
            reserved hostnames - ignore these.  (theMIRon)
   - FIXED: Added missing IPv6 local hostnames (theMIRon)
   - FIXED: Issues withh DNS & broadcast relay for pptp
            clients (theMIRon)
   - FIXED: Fixed CVE-2018-5721 in httpd (Merlin & theMIROn)
   - FIXED: helper.js wasn't properly handling parentheses
   - FIXED: NAT acceleration of PPPoE for some models (fix
            backported from 382_50010)
   - FIXED: Networkmap-related issues on some models (missing
            tx/rx rate and such).
   - FIXED: ipset could cause the router to crash on the HND
            platform (john9527)
   - FIXED: Network Service Filter wasn't working when in
            Blacklist mode.
   - FIXED: Repeater mode (backport from 384_20287)

382.2 Beta (17-Jan-2018)
   - NOTE: Due to various issues with GPL 382_18991, the 382.2
           release is being dropped, and work is moving on to the
           next version.  382.2 beta releases remain available
           for those who still wish to use it (especially RT-AC56U
           users for whom there is no ETA as to when Asus will
           release the next GPL for that particular model.)
           Known issues include lack of PPPoE HW acceleration and
           Adaptive QoS sometimes failing to start at boot among

   - NOTE: The official IRC channel has moved to
           Freenode (#asuswrt).

   - NEW: Merged with GPL 382_18991.
          Most notable changes (will vary between models):
            - Added IPSec VPN server
            - Added IFTTT and Alexa support
            - Let's Encrypt support (DDNS page)
            - Better support for some longer settings (RT-AC86U)
   - NEW: Merged HND SDK + binary components from 382_18848
   - NEW: Added IPSec VPN status on the VPNStatus page.
   - NEW: Added support for RT-AC56U and RT-AC68U
          (and all of its variants)
   - NEW: Enabled support for Let's Encrypt on RT-AC56U and
          RT-AC68U (in addition to RT-AC88U/3100)
   - CHANGED: Moved HTTPS cert management to the DDNS page (where
              Asus has put theirs, as Let's Encrypt is tied to
              the DDNS configuration)
   - CHANGED: Updated openssl to 1.0.2n.
   - CHANGED: Updated tor to
   - CHANGED: Updated nano to 2.9.1.
   - CHANGED: Updated curl to 7.57.0.
   - CHANGED: Increased max length for OpenVPN custom settings from
              170 to 510 characters on RT-AC86U.
   - CHANGED: Updated miniupnod to Github snapshot 20171212.
   - CHANGED: OpenVPN firewall rules are now processed after the
              various security chains (access restriction, network
              service firewall, etc...), ensuring OVPN traffic no
              longer bypasses them.
   - FIXED: httpd crash on certain web pages if there are no Ethernet
            clients connected
   - FIXED: DNSFILTER rules would have priority over OPENVPN Client
            rules (when client has DNS set to Exclusive mode).
   - FIXED: traffic routing from the router itself would fail when
            restarting the firewall while using an ovpn client with
            policy rules in effect.
   - FIXED: Dashes were rejected when used in an OpenVPN policy
            client description.
   - REMOVED: Removed option to select between active and passive
              scan mode for a site survey (that code is now closed
              source and therefore that option can no longer be

382.1_2 (2-Dec-2017)
   - NEW: Added custom/add/postconf support for mcpd.conf (RT-AC86U)
   - CHANGED: Updated odhcp6c to latest upstream version
              (patch by theMIRon)
   - CHANGED: cifs and xt_set kernel modules will get automatically
              loaded as needed.
   - CHANGED: Updated openssl to 1.0.2m.
   - CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
   - CHANGED: Merged wireless components from GPL 382_18991 for
              RT-AC88U and RT-AC3100 (should in theory fix KRACK
              issue on these two models)
   - FIXED: allow IA_NA mode downgrade with forced IA_PD
            (for ISPs with broken IPv6 support)
            (patch by theMIRon)
   - FIXED: SSH brute force protection would break WAN
            connectivity (RT-AC86U)
   - FIXED: Wrong Trend Micro signature updater was used when
            compiling with FW update checker enabled.
   - FIXED: QoS Upload chart missing on PPPoE connections with
            Adaptive QoS enabled.
   - FIXED: client and vendor id fields on WAN page would fail
            to accept new values longer than 32 characters.
   - FIXED: The Desc field in the OpenVPN policy section would
            reject ":" if field contained a MAC address.
   - FIXED: Security issues CVE-2017-15275, CVE-2017-12163 and
            CVE-2017-12150 (backported to Samba 3.6 and 3.5)
   - FIXED: DHCP static lease list would refuse any change if
            the list of leases+hostnames was longer than 1000
            chars due to an HND platform limitation (RT-AC86U)

382.1 (12-Nov-2017)
   Asuswrt-Merlin 382 was rebuilt from a clean GPL codebase, as
   merging the new 382 GPL on top of the existing code proved too

   For simplicity, the following abbreviations are used below:
      AM380 = Asuswrt-Merlin 380.xxx
      AM382 = Asuswrt-Merlin 382.xxx
      Asus380 = Asus's
      Asus382 = Asus's

   AM382.1 is based on AM380.68_4 merged on top of a clean GPL.

   At this time, only the RT-AC86U, RT-AC88U and RT-AC3100
   are supported by AM382.  Other models will gradually be
   moved to AM382 as Asus upgrade them to the new 382 code
   base (and GPL code becomes available for them).

   This changelog will focus on changes that happened between
   AM380.68 and AM382.1, or between Asus382_16466 and AM382.

   Also note that the primary download site was changed to
   Sourceforge, due to numerous issues with Mediafire.  Onedrive
   will be the oficial mirror to the SF.net download site.

   - NEW: Moved to Asus382 codebase.  Some of the most important
          changes between Asus380 and Asus382:
            - New Trend Micro DPI engine, with two-way IPS
            - New networkmap service (now closed source)
            - New OpenVPN implementation (now closed source,
              not used by AM382)
            - Numerous security enhancements throughout the code

   - NEW: Merged with GPL 382_16466 (RT-AC86U).
   - NEW: Added support for the RT-AC86U and its Broadcom HND
          platform (HND SDK from GPL 382_18219).
          Note that IPTraffic is not supported by this model due to
          its newer Linux kernel.
   - NEW: Rewrote part of the OpenVPN implementation, as Asus's own
          is now closed source.  Asuswrt-Merlin's OpenVPN code will
          now be independent of Asus's.
   - NEW: Added support for inline CRLs when importing an ovpn file
   - NEW: Added support for fullcone NAT (RT-AC86U)
   - NEW: Added WiFi Radar (Broadcom's Visualization app) in the
          Wireless section.  You must enable data collection on
          its Configuration page for all charts to work properly.
   - NEW: Added option to disable the Asus NAT tunnel service under
          Other Settings -> Tweak.  Not quite sure what this
          partly closed source service is for, but it eats a
          fair amount of CPU and RAM.
   - NEW: Option on OpenVPN Server page to quickly choose
          between pushing LAN or LAN + Internet access (ported
          from Asus382)
   - NEW: Option to select the bitsize to use (1024 or 2048) when
          automatically generating the OpenVPN server key/certs
          (ported from Asus382)
   - CHANGED: Updated wget to 1.19.2 (fixing connectivity to some
              TLS 1.2 servers)
   - CHANGED: SSH host keys are now stored in /jffs/ssl/ rather
              than nvram.
   - CHANGED: SMB2 is enabled by default on RT-AC86U (no performance
              penalty on that platform)
   - CHANGED: Moved UPnP Secure Mode setting from the Tweaks section
              to the WAN page, next to other UPnP settings.
   - CHANGED: Moved "Modify key and certs" link to its own dedicated
              row and made it a button for improved visibility
              (OpenVPN client & server pages)
   - CHANGED: Updated OpenVPN to 2.4.4.
   - CHANGED: The firmware version check behaviour was slightly
              changed.  The "Get Beta" checkbox will now check
              both the Beta and the Release channels for new
              version availability.  Automatic scheduled checks
              will still only check the Release channel.
   - CHANGED: Layout improvements to the SNMP, Login, and
              Operation Mode pages (patches by Alin Trăistaru)
   - CHANGED: Report both the local client IP as well as the
              public/visible IP on the OpenVPN client page once
              a client is connected (same info that was already
              available on the VPN Status page).
   - CHANGED: Moved Disk spindown settings to the System page,
              to match with Asus382 which now offers this feature.
   - REMOVED: Obsolete/exotic HMAC digests for OpenVPN servers (to
              match with Asus' own supported list)
   - REMOVED: "Custom" OpenVPN authentication mode (which probably
              nobody used or even understood).